Hackers can use antivirus software to spread malware

Tuesday, November 14, 2017

As malware grows more dangerous, antivirus programs evolve to keep our systems protected. But how do you safeguard a computer when its protector itself cannot be trusted?

A newly disclosed vulnerability allows quarantined malware to be released back onto a system, and into locations it should never reach. Found in several antivirus products, it gives a local attacker a way to bypass the usual access controls and write files into sensitive areas of the file system that only administrators or the SYSTEM account should be able to modify.

Florian Bogner, an Austrian IT security professional, dubbed the flaw 'AVGater'. Most antivirus products can quarantine files, and they let users restore quarantined files whenever they want. Bogner detailed his findings in a blog post late last week, explaining that the attack abuses exactly this restore function: an entry is taken back out of quarantine and written to a location on the host system of the attacker's choosing, re-introducing the malware. Restoring from quarantine is a fundamental capability in most security packages.

When antivirus software finds a threat on your device, it usually quarantines the file rather than deleting it outright, so that it can be recovered if the detection was a false positive or the file is needed for investigative work. If you need to, you can restore the file from quarantine and put it back on your machine.

Using AVGater, a local attacker can make the antivirus restore a quarantined file to a location of their choosing. The restore is carried out by the antivirus service, which runs with SYSTEM privileges, and it writes the file back to the path recorded when the file was quarantined. A non-administrator user would normally not be allowed to write into system folders such as 'Program Files' or 'Windows', but an unprivileged user can replace the original directory with an NTFS directory junction (created with mklink /J, which needs no special privileges) pointing at one of those folders. When the privileged service follows the junction during the restore, the file lands in the protected directory.
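The restore path described above, replayed as an added example (this is not code from Bogner's write-up or from any antivirus vendor). The script stands in for the privileged restore routine: run once trusting the recorded path, the file ends up inside the protected directory; run with a check that the destination still resolves inside the requesting user's profile, the restore is refused. The user name, the service directory and the file contents are constructed, and because the demo runs on POSIX it uses a symlink where the real attack uses an NTFS junction; Path.resolve() follows both.

```python
import os
import tempfile
from pathlib import Path


class RestoreRefused(Exception):
    """Raised when a restore would write outside the requesting user's tree."""


def resolves_inside(target: Path, owner_root: Path) -> bool:
    """True if `target` still lies under `owner_root` after every junction
    or symlink on the way has been followed (Path.resolve() does that)."""
    real_target = target.resolve()
    real_root = owner_root.resolve()
    try:
        real_target.relative_to(real_root)
    except ValueError:
        return False
    return True


def restore_from_quarantine(entry: dict, owner_root: Path, enforce: bool = True) -> Path:
    """Write a quarantined file back to the path recorded at quarantine time.

    The write stands in for the privileged antivirus service. With
    enforce=False it trusts the recorded path and follows whatever is there
    now (the vulnerable behaviour); with enforce=True it first checks that
    the destination directory still resolves inside the user's own tree.
    """
    original = Path(entry["original_path"])
    if enforce and not resolves_inside(original.parent, owner_root):
        raise RestoreRefused(
            f"{original.parent} now resolves to {original.parent.resolve()}, "
            f"outside {owner_root}")
    original.write_bytes(entry["payload"])  # the privileged write
    return original.resolve()


def demo() -> dict:
    """Replay the attack in a temp directory and report what happened."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        user_root = tmp / "Users" / "alice"                 # constructed user profile
        downloads = user_root / "Downloads"
        protected = tmp / "Program Files" / "SomeService"   # constructed system dir
        downloads.mkdir(parents=True)
        protected.mkdir(parents=True)

        # 1. The user drops a file; the antivirus detects it and moves it to
        #    quarantine, recording the original path so it can be restored.
        dropped = downloads / "update.dll"
        dropped.write_bytes(b"MZ constructed stand-in for the quarantined file")
        entry = {"original_path": str(dropped), "payload": dropped.read_bytes()}
        dropped.unlink()  # the file now exists only in quarantine

        # 2. The unprivileged user replaces the now-empty Downloads directory
        #    with a link to the protected directory (an NTFS junction on
        #    Windows; a symlink here, which needs no privileges on POSIX).
        downloads.rmdir()
        os.symlink(protected, downloads, target_is_directory=True)

        # 3a. Vulnerable restore: the file lands inside the protected directory.
        landed = restore_from_quarantine(entry, user_root, enforce=False)
        # 3b. Hardened restore: the redirected destination is refused.
        try:
            restore_from_quarantine(entry, user_root, enforce=True)
            refused = False
        except RestoreRefused:
            refused = True

        return {
            "landed_in_protected": resolves_inside(landed, protected),
            "refused": refused,
            # A legitimate, unlinked path under the profile is still allowed.
            "clean_path_allowed": resolves_inside(user_root / "Documents", user_root),
        }


if __name__ == "__main__":
    print(demo())
```

The resolve-and-compare check closes the case in the text, but it is a check followed by a privileged write, so an attacker who can swap the directory for a junction between the two still wins the race. The durable fix is for the service to perform the restore while impersonating the user who requested it, so the write is subject to that user's own permissions, or to open the destination without following reparse points at all.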

To do any of this, however, the attacker must already have local access to the computer they want to infect. That makes enterprise customers the more likely targets: a user on a shared or managed machine could accidentally or even intentionally release a file from quarantine, potentially infecting others on the network.